Comments on: True Javascript Sockets?

By: sgware

sgware — Sun, 26 Apr 2009 19:12:17 +0000

Err, sorry… in my above comment, I meant to say (policy-file-request) requests, but the HTML got messed up.

By: sgware

sgware — Sun, 26 Apr 2009 19:11:02 +0000

The problem I’ve always run into in trying to use Flash is the security concerns. You can write a server to handle queries, but that seems overly complicated.

So I decided to use a tiny, invisible Java applet instead:
http://stephengware.com/proj/javasocketbridge

By: Marton

Marton — Tue, 14 Nov 2006 00:18:04 +0000

Seems that Flash 9 has limits, since i can’t use this script either…

anyone who know how to get Flash 8 (not 9)

By: Victor

Victor — Sat, 07 Oct 2006 13:23:06 +0000

It doesn’t really matter if the SWF can be decompiled and reverse-engineered. The worse that can happen is a DOS attack, which is trackable. Besides, anyone could write a plain old JavaScript that will do superfluous polling. It’s up to the CGI app to recognize and deal with flood attacks.

Since AJAX uses Pull methods, I welcome this SWF socket solution — which allows Push applications. This reduces bandwidth costs (for client and server), redundant polling, DOS hacking, and database queries.

By: Chris

Chris — Mon, 17 Jul 2006 05:04:05 +0000

I can use this to connect to a server on localhost, but when I bind that same server to my network IP in order to make it available over the web, SocketJS can no longer connect.

It’s not the router because I’ve DMZ’ed everything to my computer and I can connect to other servers on my computer from the web.

SocketJS won’t even to connect to google:80.

By: manfred

manfred — Sun, 25 Jun 2006 20:08:19 +0000

Danny, do you use flash player version 8? It seems that SetVariable does not work with this version.

By: Danny

Danny — Sat, 24 Jun 2006 13:13:39 +0000

No working:

Error: window.document.socket.SetVariable is not a function
Source File: http://dev.dschini.org/socketjs/
Line: 93

How to make fixing?

By: manfred

manfred — Thu, 22 Jun 2006 18:15:23 +0000

Hi, I just found this article linking to that socket thing i did recently and thought I have to comment some things.
- I used Flash instead of heavy activex or java solution because for me this simply works better and is faster.
- I do not think there is any security issue by decompiling swf socket client sources. You can theoretically sniff any client connection. Does not matter if it is irssi, mirc, xchat. A secure server is important. If you want to implement secure connections or user authentification you might think about a more secure way.
- Developing a multiuser application is difficult. And you cannot compare it with polling (like ajax) or even do benchmarks because that is something completely different.
I do not take SocketJS too serious. I was just playing with it. However I do believe that one could add some nice behaviour to his JS application.
Regards – Manfred

By: Dan

Dan — Thu, 22 Jun 2006 16:23:37 +0000

@Reader: The fact that the SWF can be decompiled isn’t a huge deal. Since they can’t replace your SWF with theirs, the details of what you are doing shouldn’t matter. I was referring to the SWF allowing only certain types of traffic, to certain hosts, at a restricted frequency. By restricting these, you have a chance of keeping this hacked-togehter approach from blowing up in your face.

By: Strass

Strass — Thu, 22 Jun 2006 13:34:44 +0000

DHH mentionned this possibility too during the last Canada on Rails

By: Mr. Curious

Mr. Curious — Thu, 22 Jun 2006 13:01:04 +0000

Has anyone done benchmarks on the performance hit of something like this versus normal polling? Obviously only authenticating a user once and just sending and receiving data would be a lovely alternative to rechecking them everytime they do an ajax call, but how well would this work on a system with hundreds of simultaneous users?

By: Chris

Chris — Thu, 22 Jun 2006 09:54:29 +0000

Hm, that is true, flash CAN be easily decompiled. We’ll just stick with javascript then.

By: Reader

Reader — Thu, 22 Jun 2006 09:19:03 +0000

And the fact that it’s a SWF means that it can easily be decompiled, meaning that all of your functionality, public or not, is wide open to an attacker.

By: Dan

Dan — Thu, 22 Jun 2006 01:59:11 +0000

Yes! Now cross-site scripting attacks will be able to ping my webserver from Taiwan …
No really, don’t say this is a Javascript solution, as Flash is still the driver. You might as well use your ActiveX control or Java at that point. I can see legitimate uses for it, for sure, but people who use it better understand it and lock it down from within the SWF wrapper, or there goes the neighbourhood.

By: Cesp

Cesp — Wed, 21 Jun 2006 23:13:31 +0000

ESPN.com has been using this method for its NFL,NBA,MLB,College Football and College Basketball scoreboards for a couple years.

By: Mario

Mario — Wed, 21 Jun 2006 21:14:41 +0000

they should use the flash feature to expose certain function to the js engine so it can be even easy to cross script.

By: Chris Double

Chris Double — Wed, 21 Jun 2006 21:14:21 +0000

There’s a couple of other libraries that do similar:

http://www.devpro.it/xmlsocket/
http://www.aflax.org/

Chris.

By: jeff

jeff — Wed, 21 Jun 2006 20:48:29 +0000

how is this true javascript? you are mixing it with flash??? this sounds kinda scary too…